SANDWORM TEAM 


Update 1.11.16 - SANS ICS Team Connects Dots 

Updating the blog entry to bring attention to the recent analysis 
published by Mike Assante from the SANS ICS team. 

"After analyzing the information that has been made available 
by affected power companies, researchers, and the media it is 
clear that cyber attacks were directly responsible for power 
outages in Ukraine. The SANS ICS team has been 
coordinating ongoing discussions and providing analysis 
across multiple international community members and 
companies. We assess with high confidence based on 
company statements, media reports, and first-hand analysis 
that the incident was due to a coordinated intentional attack." 

Read the full SANS post here - and see below for iSIGHT 


iSIGHT Partners Analyst Comment 


The SANS ICS blog confirms conclusions previously reached 
by iSIGHT regarding the nature of the Ukrainian attacks 
(specifically the role of destructive malware and phone 
disruption) and attribution to Sandworm Team. iSIGHT 
Partners believes this incident is a milestone because it is the 
first major cyber attack to substantially affect the civilian 
population and because of the overwhelming importance of 
the grid to multiple reliant sectors. Furthermore, Sandworm 
Team's previous interest in US and European critical systems 
underscores the threat they pose (see below for more on 
Sandworm Team). 

Sandworm Team - Historical Targeting of Ukraine and 
Interest in SCADA Systems 

Since last week, iSIGHT Partners has worked to provide 
details on the power outage in Ukraine to our global 
customers. We have analyzed the forensic evidence we have 
been able to obtain from the region, contextualizing it within 
our knowledge of cyber espionage actors. Many details of the 
event remain unknown, and given the nature of the incident, 
especially the use of destructive malware, we do not anticipate 
every detail will be exposed. 

However, we have linked Sandworm Team to the incident, 
principally based on BlackEnergy 3, the malware that has 
become their calling card. 

iSIGHT Partners has tracked Sandworm Team for some time, 
and we publicly reported on some of their activities in October 
2014, when we discovered their use of a zero-day exploit, 
CVE-2014-4114. In that campaign, we saw targeting of 
Ukrainian government officials, members of the EU and 
NATO. Shortly after releasing information on their espionage 
operations, our friends at Trend Micro found evidence that the 
operators were not only conducting classic strategic 
espionage but targeting SCADA systems as well. Evidence of 
this accumulated, and iSIGHT Partners released a follow-up 
blog where we assessed that the activity was reconnaissance for 
attack, a preparation for a cyber attack to be carried out over the 
long term. ICS-CERT released a separate advisory as well. 

Sandworm Team Activity - Late 2014 to Current Day 

Sandworm Team went to ground shortly after being exposed 
in October of 2014, and malware with Dune references (the 
genesis for the 'Sandworm' moniker) which we had previously 
used to track them disappeared entirely. However, the unique 
malware variant, BlackEnergy 3, reemerged in Ukraine early 
in 2015, where we had first found Sandworm Team. 
Throughout 2015 we saw increased intrusion activity using 
BlackEnergy 3. We warned our clients of new features 
suggesting an increased focus on European targets - though 
verification of targets was not possible at the time. Additionally, 
we warned our customers about the targeting of both media 
and regional power authorities in the Ukraine, sectors later 
affected by cyber attacks. Some of this information was 
recently shared by the folks at ESET, who have also been 
following Sandworm Team very closely for quite some time. 

On the Ukrainian Power Authority Incidents 

Last week iSIGHT's sources provided us with the same 
KillDisk malware published by Rob Lee of SANS and Dragos 
Security. As ESET has, we place this malware within the 
greater context of activity tied to BlackEnergy 3, which we 
believe is Sandworm Team. We believe this KillDisk malware 
is related to the destructive malware leveraged during 
Ukrainian elections in October. At the time, CERT-UA 
connected that incident to BlackEnergy 3. Symantec has since 
verified those claims. Furthermore, iSIGHT's own sources 
indicate that BlackEnergy 3 malware was deployed on at least 
one of the Ukrainian power systems affected by KillDisk. 

iSIGHT Partners is still collecting information on the 
mechanics of the power outage and what role the KillDisk 
malware played in the greater event. We cannot confirm that 
the KillDisk malware caused the outage. It may have been 
used following steps to manipulate power in order to impede 
restoration efforts or operator visibility. It is noteworthy that 
technical support numbers associated with the power 
authorities were allegedly flooded with calls, which may have 
been an effort to further overwhelm responders. On their 
official website, the Ukrainian security service, SBU, made this 
claim. 

Outlook 

A cyber attack of this nature is a milestone, although a 
predictable one. The aggressive nature of Sandworm Team's 
previous activity in Europe and the United States exposed 
their interest in targeting critical systems and indicated 
preparation for cyber attack. Targeting of critical entities in 
Ukraine throughout 2015, during a time of war, further 
presaged a desire to disrupt infrastructure. 



